Sunday, October 15, 2017

Networks Sending Bad Traffic

As explained in my Secplicity blog posts, I set up some rules to auto-block hosts hitting unexpected ports on a test network. For more information on how to do that, and about IP addresses and Internet registries in general, refer to these posts:

Why I Am Seeing This Traffic...
After setting up these rules as described above, I was able to capture hosts connecting to ports on my network that they have absolutely no business contacting. I may have caught a few legitimate connections and a few fat-fingered requests in the following list, but there is no way all of this can be explained away by that.

The most likely explanation is that the networks listed below are hosting malicious software on some device, and it is reaching out across the Internet looking for other devices to attack.

Another possibility is that the hosts are part of a proxy network or VPN service that hides the identity of the person actually making the request. But why would someone need to hide their true identity to contact a test network they have no business accessing? Additionally, I wonder whether all the hosts involved in these proxy and VPN networks have consented to share their Internet access, or whether they too are hosting malware. I also wonder whether the devices given away with Internet service are part of the problem and are hosting the malware themselves.

If you can think of other reasons why this may be happening, let me know. But if my one small test network is getting hit this many times a day, multiply that by all the hosts on the Internet... that's a lot of bad traffic. It is also a lot of noise hiding truly malicious traffic.

If You Are Seeing Blocked Outbound Requests on Your Network...Please Investigate!

If you know someone who works for one of these networks, could you please ask them to inspect their traffic to see whether they are getting outbound requests blocked by the firewall at the other network? If so, that particular host may be hosting malware that is trying to reach out to the other network.

Auto-Blocked Network List

I turned my auto-block list into a blocked-sites list that can be used on a WatchGuard Firebox (security appliance). It is available on GitHub; use it at your own risk and with the noted caveats. I may update it over time as I discover more:
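As an added example (not the author's Firebox rules and not the list on GitHub), here is how the two steps described in this post can be done from a firewall's deny logs: pick out external hosts that were denied on ports the network does not expose, auto-block them, and render the result as a blocked-sites list with one address or network per line. The log lines are constructed from RFC 5737 documentation addresses; the key=value line format, the set of expected ports, the `LOCAL_NET` range, and the one-entry-per-line output format are all assumptions for the example, not WatchGuard's actual syslog or import syntax.

```python
"""Derive an auto-block list from firewall deny logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Ports the test network legitimately exposes; anything else is "unexpected".
# Assumed for the example.
EXPECTED_PORTS = {22, 443}
# Our own test network (assumed); denies from inside it never become blocks.
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")

# Constructed sample deny-log lines in an assumed key=value format.
SAMPLE_LOG = """\
2017-10-15T03:12:44Z deny proto=tcp src=203.0.113.7 dst=198.51.100.4 dport=23
2017-10-15T03:12:45Z deny proto=tcp src=203.0.113.7 dst=198.51.100.4 dport=2323
2017-10-15T03:13:01Z deny proto=tcp src=203.0.113.7 dst=198.51.100.4 dport=7547
2017-10-15T03:14:10Z deny proto=tcp src=192.0.2.55 dst=198.51.100.4 dport=445
2017-10-15T03:14:11Z deny proto=tcp src=192.0.2.55 dst=198.51.100.4 dport=139
2017-10-15T03:15:00Z deny proto=tcp src=192.0.2.80 dst=198.51.100.4 dport=22
2017-10-15T03:16:22Z deny proto=udp src=203.0.113.200 dst=198.51.100.4 dport=1900
2017-10-15T03:17:05Z deny proto=tcp src=198.51.100.9 dst=198.51.100.4 dport=3389
2017-10-15T03:18:40Z deny proto=tcp src=192.0.2.130 dst=198.51.100.4 dport=8080
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def unexpected_hits(lines, expected_ports=EXPECTED_PORTS, local_net=LOCAL_NET,
                    tcp_only=True):
    """Map each external source IP to the set of unexpected ports it was denied on.

    Only denied connections count. UDP is ignored by default: a UDP source
    address is trivially spoofed, so blocking on it punishes whoever the
    sender chose to impersonate. A denied TCP SYN is at least a real packet
    from that address, even though it is never completed.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny":
            continue
        if tcp_only and rec["proto"] != "tcp":
            continue
        if rec["dport"] in expected_ports:
            continue  # a denied hit on a real service is noise, not a probe
        src = ipaddress.ip_address(rec["src"])
        if src in local_net:
            continue  # never auto-block our own range
        hits[str(src)].add(rec["dport"])
    return dict(hits)


def auto_block(hits, min_ports=1):
    """Sources that were denied on at least min_ports distinct unexpected ports.

    min_ports=1 mirrors "block anything that hits an unexpected port";
    raising it drops single fat-fingered connections from the list.
    """
    return sorted(
        (ip for ip, ports in hits.items() if len(ports) >= min_ports),
        key=ipaddress.ip_address,
    )


def to_blocked_sites(ips, prefixlen=None):
    """Render the block list one entry per line (assumed import format).

    With prefixlen (e.g. 24) hosts are collapsed to their /24, so several
    offenders from one range become a single network entry.
    """
    if prefixlen is None:
        return sorted(set(ips), key=ipaddress.ip_address)
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    blocked = auto_block(unexpected_hits(SAMPLE_LOG.splitlines()))
    print("\n".join(to_blocked_sites(blocked, prefixlen=24)))
```

Collapsing to /24 is what turns a host list into a "network" list, but it also blocks every bystander in that range, which matters for exactly the shared proxy, VPN and ISP-equipment cases the post raises; keep your own ranges and any partner networks out of the input, and expire entries rather than keeping them forever.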